Veracode XML External Entity Reference (XXE)

Solution 1

Have you seen the OWASP guide about XXE?

You are not disabling the 3 features you should disable. Most importantly the first one:

dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

Solution 2

Background:

The XXE attack is constructed around XML language capabilities to define arbitrary entities using the external Data Type Definition (DTD) and the ability to read or execute files.

Below is an example of an XML file containing a DTD declaration that, when processed, may return the output of the local “/etc/passwd” file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE test [
    <!ELEMENT test ANY >
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

Mitigation:

To avoid exploitation of an XXE vulnerability the best approach is to disable the ability to load entities from an external source.

Now the way to disable the DTDs will differ depending upon the language used (Java, C++, .NET) and the XML parser being used (DocumentBuilderFactory, SAXParserFactory, TransformerFactory to name a few, considering the Java language).

The two official references below provide the best information on how to achieve this.

https://rules.sonarsource.com/java/RSPEC-2755

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
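The following is an added example, not code from either answer or from the Veracode report, that puts Solution 1's three features and Solution 2's "it differs per parser factory" point into one runnable Java class. The class name XxeHardening, the helper names, and the two sample XML strings are constructed for this illustration. It hardens a DocumentBuilderFactory the way Solution 1 describes, shows the equivalent settings for SAXParserFactory and TransformerFactory (the other factories Solution 2 names), and demonstrates that a document carrying the DOCTYPE from Solution 2's example is rejected at parse time while an ordinary document still parses.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Constructed sample input: a DOCTYPE declaring an external entity, as in Solution 2's example,
    // plus a reference to it in the body so a non-hardened parser would try to resolve the file.
    static final String DOCTYPE_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE test [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n"
        + "<test>&xxe;</test>";

    // Constructed sample input with no DOCTYPE at all.
    static final String PLAIN_XML = "<test>hello</test>";

    /** DocumentBuilderFactory configured with the three features from Solution 1 plus the question's settings. */
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The decisive setting: reject any DOCTYPE, so no entity (internal or external) can be declared.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers where a DOCTYPE must be tolerated: never fetch external entities.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** The same three SAX features apply to SAXParserFactory. */
    static SAXParserFactory hardenedSaxParserFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setXIncludeAware(false);
        return spf;
    }

    /** TransformerFactory exposes no SAX features; external access is cut off through JAXP attributes instead. */
    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Empty string means "no protocols allowed" for external DTDs and stylesheets.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Parses with the hardened factory; returns the root element's text, or null if the parser rejected the input. */
    static String parseOrNull(String xml) throws Exception {
        DocumentBuilder db = hardenedDocumentBuilderFactory().newDocumentBuilder();
        InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
        try {
            Document doc = db.parse(in);
            return doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            // With disallow-doctype-decl=true the DOCTYPE itself is a fatal parse error,
            // so the entity is never declared, let alone resolved.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain   -> " + parseOrNull(PLAIN_XML));
        System.out.println("doctype -> " + parseOrNull(DOCTYPE_XML));
        // Creating parsers from the other hardened factories confirms the settings are accepted.
        hardenedSaxParserFactory().newSAXParser();
        hardenedTransformerFactory().newTransformer();
    }
}
```

Running the class prints the root text for the plain document and null for the one with the DOCTYPE; the JDK's built-in parser also logs a "[Fatal Error]" line to stderr for the rejected DOCTYPE because no custom ErrorHandler is installed. The catch is deliberately narrow: rejecting the DOCTYPE should surface as a parse failure, not be swallowed as a generic exception, so that a scanner or a log reader can tell a blocked XXE attempt from any other malformed input.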

Updated on August 03, 2022

Comments

  • Jose Miguel
    Jose Miguel almost 2 years

    I've got the following finding in my Veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611), referring to the code below

    ...

      DocumentBuilderFactory dbf = null;
      DocumentBuilder db = null;
      try {
            dbf = DocumentBuilderFactory.newInstance();
            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            dbf.setExpandEntityReferences(false);
            dbf.setXIncludeAware(false);
            dbf.setValidating(false);
            // The original discarded the result of newDocumentBuilder(), leaving db null.
            db = dbf.newDocumentBuilder();
            InputStream stream = new ByteArrayInputStream(datosXml.getBytes());
            Document doc = db.parse(stream, "");


    ...

    I've been researching but I haven't found out a reason for this finding or a way of making it disappear. Could you tell me how to do it?